Apple updates DMARC – Warning for senders

Apple announced last month that it is switching its DMARC policy from “p=none” to “p=quarantine” on the following domains:

mac.com

me.com

icloud.com

What does this mean?

If you send mail from these domains outside of Apple’s network you will see delivery issues.

Al Iverson of Spam Resource reports that: “If you have an email address in these domains, your ability to send outbound mail using an email service provider or other, non-Apple email platform to send mail, deliverability won’t look so good. Mail may not be blocked outright (Apple didn’t move to “p=reject”) but moving to “p=quarantine” means it’s much more likely that your mail could end up in the spam folder.”

What is DMARC?

DMARC stands for Domain-based Message Authentication, Reporting and Conformance. Like SPF and DKIM, DMARC is an email validation method designed to detect and prevent email spoofing (it discourages people from using your domain without your permission). DMARC goes one step further, however, in that it allows the sender to control what happens to email that does not pass DMARC.

How Does it Work?

DMARC builds on alignment of the From domain with SPF and DKIM authentication, but adds a reporting function between the sender and receivers to improve and monitor protection of the domain from fraudulent email.

DMARC is unique in that it lets the sender tell the receiver what to do if a message does not pass DMARC: “None” (do nothing), “Quarantine” (send it to the Junk folder) or “Reject” (block it). This removes some of the guesswork from the receiver’s handling of failed messages, while limiting or eliminating the user’s exposure to potentially fraudulent and harmful messages. DMARC also provides a way for the receiver to report back to the sender about messages that fail DMARC. Senders can now see a report of who is using their domain without permission.

Yahoo and AOL were the first large email providers to apply a DMARC policy of “Reject”, back in April 2014. They both changed their DMARC policy to ask all mail services to reject unauthenticated email claiming to come from their domains.

What can you do?

The best course of action is to start using your own domain name. If you don’t own your own domain, it’s time you did. Using your own domain when you send email is the best way to avoid being affected by changes like these in the future, and it is something we’ve always recommended.

If people sign up at www.maggiescupcakes.com, the email should come from an email address that ends in @maggiescupcakes.com (not an @Aol, @icloud or @yahoo address).

By using your own domain, you have full control. You validate it once and you are on your way. No more worrying about ISPs affecting your delivery by changing their DMARC policies.
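The sketch below is an added example, not code from the original article or from any mail provider. It walks through the alignment check described under “How Does it Work?” for the two cases discussed here: an @icloud.com From address sent through a third-party email service, and the same service sending as the sender's own domain. The DMARC records, the ESP domain names and the two-label organizational-domain shortcut are assumptions made for illustration.

```python
def parse_dmarc(record):
    """Parse a DMARC TXT record into a tag dict, e.g. {'v': 'DMARC1', 'p': 'quarantine'}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record")
    return tags

def org_domain(domain):
    # Simplification (assumption): organizational domain = last two labels.
    # A real receiver consults the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """'r' (relaxed) compares organizational domains; 's' (strict) needs an exact match."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_disposition(record, from_domain, spf_pass, spf_domain, dkim_pass, dkim_domain):
    """Return 'pass', or the policy the From domain's owner requested for failures."""
    tags = parse_dmarc(record)
    # SPF or DKIM must pass AND be aligned with the visible From domain.
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else tags["p"]

# Constructed sample records and domains (not copied from live DNS).
MAILBOX_PROVIDER = "v=DMARC1; p=quarantine; rua=mailto:reports@example.invalid"
OWN_DOMAIN = "v=DMARC1; p=none"

# Newsletter sent through an ESP with an @icloud.com From address:
# SPF and DKIM both pass, but for the ESP's domains, so neither aligns.
via_esp = dmarc_disposition(MAILBOX_PROVIDER, "icloud.com",
                            True, "bounce.esp.example", True, "esp.example")

# Same ESP, From address on the sender's own domain, DKIM-signed as that domain.
own = dmarc_disposition(OWN_DOMAIN, "maggiescupcakes.com",
                        True, "bounce.esp.example", True, "mail.maggiescupcakes.com")

if __name__ == "__main__":
    print("icloud.com From via ESP:", via_esp)
    print("own domain via ESP:", own)
```

Passing SPF and DKIM is not enough on its own: the first message authenticates correctly for the ESP's domains and still receives the quarantine disposition, because nothing it authenticated as matches the domain in the From header.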

Why is Apple doing this?

When malevolent people impersonate a brand such as Apple in an attempt to get your personal details, it’s abuse, plain and simple, and it can lead people to think the email they’re looking at is real. DMARC is one of the ways receivers can check whether the sender is really who they say they are, and thus prevent spoofing.

My email is with Gmail (or Hotmail), are they going to be doing this too?

While they both have DMARC records in place, Gmail and Hotmail (Outlook) are not set to block anyone just yet. Gmail had said they would change to a “Reject” policy in 2016, but everyone is still waiting. While Yahoo, AOL and Apple may have been the first to take concrete action by changing their DMARC policies, it’s only a matter of time before the others follow suit. Here is a current list of domains currently deployed with a “p=reject” DMARC policy:

yahoo.*

ymail.com

rocketmail.com

aol.com

adp.com

aetna.com

airbnb.com

americanexpress.com

aexp.com

americangreetings.com

applemusic.com

box.com

britishairways.com

chase.com

jpmchase.com

citibank.com

dhl.com

evernote.com

facebook.com

fedex.com

gap.com

groupon.com

instagram.com

linkedin.com

oldnavy.com

paypal.com

pinterest.com

pch.com

rollingstone.com

squarespace.com

twitter.com

ups.com

ftc.gov

senate.gov

usps.gov

usaa.com

wachovia.com

wellsfargo.com

whatsapp.com

What impact is this going to have on me?

I did a test back in 2015 using our Cakemail servers from a @Yahoo address and it was clear DMARC was well on its way. I sent a sample mailing to over 600 test accounts all over the world and at the time over 56% of the mail sent to the United States went missing (32.2% worldwide).

The list of ISPs that showed 100% block were:

Gmail

Yahoo (worldwide)

Hotmail/Outlook

AOL

ATT

Rogers

Bellsouth

BritishTelecom

Comcast

CompuServe

Netscape

SBC

Cantv.net

I decided to repeat this test again today and the results were virtually the same in 2018, with the exception of 100% now missing at Apple’s 3 domains.